Quite a few serious vulnerabilities were highlighted this week, across many popular plugins.

The plugins below have extremely high-severity vulnerabilities that are being actively exploited.

BuddyPress Plugin
Directory Traversal; 9.9/10; Update to v14.2.1+

AMP for WP Plugin
CSRF; 8.8/10; Update to v1.0.99.2+

ProfilePress Pro Plugin
Broken Authentication; 8.1/10; Update to v4.11.2+

All-in-One WP Migration Plugin
PHP Object Injection; 7.2/10; Update to v7.87+

Editor Comment
It’s worth taking a few minutes each week to perform a site review to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

The following commonly used plugins may not pose high risks, but millions of sites are affected.

Elementor – Header, Footer & Blocks Template Plugin
Sensitive Data Exposure; 4.3/10; Update to v1.6.44+

Shortcodes Ultimate Plugin
XSS; 6.5/10; Update to v7.3.0+

DearFlip Plugin
XSS; 7.1/10; Update to v2.3.42+

Qi Addons For Elementor Plugin
Sensitive Data Exposure; 4.3/10; Update to v1.8.1+

Despite their lower usage, the plugins listed below present very high risks. Two have been removed from wp.org with no fix.

AR For WordPress Plugin
Arbitrary File Upload; 10/10; Removed from wp.org; No fix available; Remove or replace.

Automatic Translation Plugin
Arbitrary File Upload; 10/10; Removed from wp.org; No fix available; Remove or replace.

wpDiscuz Plugin
Broken Authentication; 9.8/10; Update to v7.6.25+

WP Social Plugin
Broken Authentication; 9.8/10; Update to v3.08+

Product Filter by WBW Plugin
SQL Injection; 7.6/10; Update to v2.7.1+

WordPress has updated its Community Code of Conduct to prohibit sharing private messages without the sender’s consent, bringing the total number of unacceptable behaviors to 6.

This rule takes effect immediately, with violations managed under existing enforcement guidelines.

#5 – Our Blog: Practical Ways to Lock Down File Editing

Disabling file editing in WordPress helps protect your site from unauthorised changes to critical files and reduces the risk of both malicious attacks and accidental edits. Taking this simple step makes your site more secure and more stable.
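As an added illustration (not code from the Shield blog post or the Shield plugin), here is the wp-config.php constant that removes the built-in theme and plugin file editors, together with a must-use plugin that denies the underlying capabilities so the lockdown survives even if the constant is later dropped; the mu-plugin file name is an assumption.

```php
<?php
/**
 * Added example, not from the Shield blog post: two layers for locking down
 * file editing in WordPress. The define() belongs in wp-config.php; the rest
 * is a must-use plugin at wp-content/mu-plugins/disable-file-editing.php
 * (assumed path) that enforces the same policy from code.
 */

// --- wp-config.php ---------------------------------------------------------
// Removes Appearance > Theme File Editor and Plugins > Plugin File Editor.
// WordPress core maps edit_files/edit_plugins/edit_themes to do_not_allow
// when this constant is true.
define('DISALLOW_FILE_EDIT', true);
// Caveat: DISALLOW_FILE_MODS would additionally block plugin and theme
// installs and updates from the dashboard, which works against patching the
// vulnerable plugins listed above, so it is deliberately not set here.

// --- wp-content/mu-plugins/disable-file-editing.php -------------------------
// Deny the editor capabilities for every role, including administrators,
// regardless of whether the constant above is still present.
add_filter('map_meta_cap', function (array $caps, string $cap): array {
    $editor_caps = ['edit_files', 'edit_plugins', 'edit_themes'];
    if (in_array($cap, $editor_caps, true)) {
        return ['do_not_allow'];
    }
    return $caps;
}, 10, 2);

// Make a silent regression visible: warn in the dashboard if the constant
// has been removed or set to false, so the only remaining guard is this file.
add_action('admin_notices', function (): void {
    if (!current_user_can('manage_options')) {
        return;
    }
    if (!defined('DISALLOW_FILE_EDIT') || !DISALLOW_FILE_EDIT) {
        echo '<div class="notice notice-warning"><p>'
           . esc_html('DISALLOW_FILE_EDIT is not set in wp-config.php; file editors are blocked only by the mu-plugin.')
           . '</p></div>';
    }
});
```

A quick check after deploying: log in as an administrator and confirm that the Theme File Editor and Plugin File Editor entries no longer appear in the dashboard menus.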

Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress